Fortinet releases patches for 40 security vulnerabilities

Updated 21st February 2023 – 13:21 UTC

Overview

Proof-of-concept (PoC) exploit code has been released by Horizon3.ai for the recently disclosed FortiNAC vulnerability, CVE-2022-39952. The PoC writes a cron job (scheduled task) into the /etc/cron.d/ directory that triggers every 60 seconds. This, in turn, initiates a reverse shell to the threat actor, giving them remote code execution on the appliance.

The Horizon3.ai researchers compared the patched and unpatched builds and found that the fix removed the ‘keyUpload.jsp’ file. That unauthenticated endpoint accepts a file upload in its ‘key’ parameter, writes the uploaded content to a configuration file and then executes the ‘configApplianceXml’ bash script. The script runs the ‘unzip’ command on the uploaded file without validating the paths contained in the archive, so its entries can be written to any location on the system. A threat actor therefore only needs to build a ZIP archive whose entries place the payload at the desired path and send it to the vulnerable endpoint in the ‘key’ parameter; when the script extracts the archive, the payload is written to disk. The PoC code created by the Horizon3.ai researchers automates this process.
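The root cause is an archive being unpacked with no validation of the paths it carries. The following Python is added here as an illustration of that failure mode and its fix; it is not taken from Horizon3.ai's PoC or from FortiNAC. It builds a constructed archive in memory, shows where each entry would land under an unvalidated unpack, and contrasts that with a hardened extraction policy. The entry names, file contents and the ‘/opt/staging’ extraction root are assumptions made for the example.

```python
import io
import posixpath
import zipfile

# Constructed archive contents (made up for this example). Entry names are
# attacker-controlled: a plain relative name resolves under the extraction
# root, and a traversal name climbs out of it.
MALICIOUS_ENTRIES = {
    "etc/cron.d/example": "* * * * * root /bin/sh /tmp/example.sh\n",
    "../../../tmp/example.sh": "#!/bin/sh\necho constructed-payload\n",
    "config/appliance.xml": "<config/>\n",
}


def build_archive(entries):
    """Return the bytes of an in-memory ZIP with the given entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def landing_paths(archive, extract_root):
    """Map each entry to the path it lands on when the archive is unpacked
    with no validation, which is what a bare `unzip` invocation does."""
    landing = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            landing[info.filename] = posixpath.normpath(
                posixpath.join(extract_root, info.filename))
    return landing


def classify_entries(archive, extract_root, allowed_prefixes=("config/",)):
    """Hardened policy: reject absolute names, any '..' component and any
    name that resolves outside extract_root, then additionally require the
    entry to sit under an allow-listed subdirectory. The check is purely
    lexical; a production version should also resolve symlinks
    (os.path.realpath) before comparing."""
    root = posixpath.normpath(extract_root)
    prefix = root.rstrip("/") + "/"
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            name = info.filename
            dest = posixpath.normpath(posixpath.join(root, name))
            escapes = (name.startswith("/")
                       or ".." in name.split("/")
                       or not dest.startswith(prefix))
            if escapes or not name.startswith(allowed_prefixes):
                rejected.append(name)
            else:
                accepted.append(name)
    return accepted, rejected


if __name__ == "__main__":
    archive = build_archive(MALICIOUS_ENTRIES)
    # Unpacked in "/", the relative cron entry lands in /etc/cron.d/.
    for name, dest in landing_paths(archive, "/").items():
        print(f"unvalidated unpack in /: {name} -> {dest}")
    accepted, rejected = classify_entries(archive, "/opt/staging")
    print("accepted:", accepted)
    print("rejected:", rejected)
```

Note the second point the example makes: when the extraction root is the filesystem root, a traversal check alone still lets a plain relative name such as etc/cron.d/... through, because it never leaves the root. Unpacking into a dedicated directory and allow-listing the subdirectories an upload may populate closes that gap as well.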

Updated Affected Products

Products affected by CVE-2022-39952:
– FortiNAC version 9.4.0
– FortiNAC versions 9.2.0 – 9.2.5
– FortiNAC versions 9.1.0 – 9.1.7
– FortiNAC 8.8 all versions
– FortiNAC 8.7 all versions
– FortiNAC 8.6 all versions
– FortiNAC 8.5 all versions
– FortiNAC 8.3 all versions

Updated Containment, Mitigations & Remediations

FortiNAC administrators are strongly recommended to upgrade to one of the following FortiNAC versions, which are not affected by CVE-2022-39952:

– FortiNAC version 9.4.1 or above
– FortiNAC version 9.2.6 or above
– FortiNAC version 9.1.8 or above
– FortiNAC version 7.2.0 or above

Further details can be found on the Fortinet Library Webpage.

Updated Further Information

Horizon3.ai Analysis
Bleeping Computer Article


20th February 2023

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Fortinet has released security patches for 40 individual vulnerabilities across its product range. Two of the vulnerabilities were classified as critical according to CVSS scoring: CVE-2022-39952 (CVSS score: 9.8), an arbitrary file write in FortiNAC that leads to remote code execution, and CVE-2021-42756 (CVSS score: 9.3), a stack-based buffer overflow in FortiWeb. The remainder of the vulnerabilities consisted of 15 High, 22 Medium and one Low rated security flaws.

The penetration testing company Horizon3.ai has stated that it plans to release proof-of-concept (PoC) code for CVE-2022-39952.

Impact

CVE-2022-39952: An external control of file name or path vulnerability in the FortiNAC web server may allow an unauthenticated threat actor to perform an arbitrary file write on the system.

CVE-2021-42756: Successful exploitation of this stack-based buffer overflow could enable an unauthenticated remote threat actor to achieve arbitrary code execution via specially crafted HTTP requests.

Vulnerability Detection

Fortinet has released patched builds for each affected product branch. No detection signatures or indicators have been published for either vulnerability, so detection is version-based: treat any appliance running a version below the fixed release for its branch (see Affected Products below) as vulnerable, and compare the running version of every FortiNAC and FortiWeb instance against those ranges.

Affected Products

Products affected by CVE-2022-39952:
– FortiNAC version 9.4.0
– FortiNAC versions 9.2.0 – 9.2.5
– FortiNAC versions 9.1.0 – 9.1.7
– FortiNAC 8.8 all versions
– FortiNAC 8.7 all versions
– FortiNAC 8.6 all versions
– FortiNAC 8.5 all versions
– FortiNAC 8.3 all versions

Products affected by CVE-2021-42756:
– FortiWeb 6.4 all versions
– FortiWeb 6.3.16 and below
– FortiWeb 6.2.6 and below
– FortiWeb 6.1.2 and below
– FortiWeb 6.0.7 and below
– FortiWeb 5.x all versions
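A practical way to use the two lists above is a version check over an asset inventory. The following Python is an added example, not code from this bulletin or from Fortinet; it encodes the affected ranges exactly as listed (versions outside every listed branch are reported as not affected rather than guessed at), and the inventory hostnames and version strings are constructed for the example.

```python
import re

# Affected ranges exactly as stated in this bulletin. For each CVE: the
# product name and a map from version branch to the highest affected patch
# level in that branch (None means every version in the branch is affected).
AFFECTED = {
    "CVE-2022-39952": ("FortiNAC", {
        (9, 4): 0,                       # 9.4.0
        (9, 2): 5,                       # 9.2.0 - 9.2.5
        (9, 1): 7,                       # 9.1.0 - 9.1.7
        (8, 8): None, (8, 7): None, (8, 6): None, (8, 5): None, (8, 3): None,
    }),
    "CVE-2021-42756": ("FortiWeb", {
        (6, 4): None,                    # 6.4 all versions
        (6, 3): 16, (6, 2): 6, (6, 1): 2, (6, 0): 7,
        (5,): None,                      # 5.x all versions
    }),
}


def parse_version(text):
    """Take the leading dotted-numeric part of a version string, so that
    '9.2.5' and '9.2.5 build 0614' both become (9, 2, 5)."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def affected_by(cve, version):
    """True if `version` falls inside one of the affected ranges for `cve`.
    A branch that is not listed at all is reported as not affected."""
    _, ranges = AFFECTED[cve]
    parsed = parse_version(version)
    for branch, last_patch in ranges.items():
        if parsed[:len(branch)] != branch:
            continue
        if last_patch is None:
            return True
        patch = parsed[len(branch)] if len(parsed) > len(branch) else 0
        return patch <= last_patch
    return False


# Constructed inventory; hostnames and versions are made up for the example.
INVENTORY = [
    ("nac-01.example.internal", "FortiNAC", "9.2.5"),
    ("nac-02.example.internal", "FortiNAC", "9.4.1"),
    ("nac-03.example.internal", "FortiNAC", "8.8.11 build 2042"),
    ("waf-01.example.internal", "FortiWeb", "6.3.16"),
    ("waf-02.example.internal", "FortiWeb", "7.0.0"),
]


def triage(inventory):
    """Return (host, product, version, cve) for every affected entry."""
    findings = []
    for host, product, version in inventory:
        for cve, (affected_product, _) in AFFECTED.items():
            if product == affected_product and affected_by(cve, version):
                findings.append((host, product, version, cve))
    return findings


if __name__ == "__main__":
    for finding in triage(INVENTORY):
        print("%s: %s %s is affected by %s" % finding)
```

The version strings reported by the appliances usually carry a build suffix, which is why the parser keeps only the leading dotted-numeric part; anything that does not parse raises rather than silently passing as unaffected.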

Containment, Mitigations & Remediations

It is strongly recommended that the relevant Fortinet patches are applied as soon as possible.

CVE-2022-39952 – Patches have been released for the following FortiNAC versions: 7.2.0, 9.1.8, 9.2.6, and 9.4.1.

CVE-2021-42756 – Patches have been released for the following versions of FortiWeb: 6.0.8, 6.1.3, 6.2.7, 6.3.17, and 7.0.0.

Administrators should also apply updates for the following Fortinet product ranges:

– FortiADC (advanced application delivery controller)
– FortiAnalyzer (log management, analytics, and reporting platform)
– FortiExtender (WAN connections extender)
– FortiOS (operating system used in Fortinet hardware, including FortiGate firewalls)
– FortiProxy (secure web proxy/gateway)
– FortiAuthenticator (user identity management)
– FortiSwitchManager (FortiSwitch management)
– FortiPortal (portal for service providers)
– FortiSandbox (malware sandbox)
– FortiWAN (multi-WAN management).

Further details regarding each of the 40 vulnerabilities can be found on the Fortiguard Advisory Page.

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available at this time.

Threat Landscape

Fortinet holds a significant share of the networking-hardware market. Threat actors generally weigh the probability of successful exploitation against the value of the asset when choosing which attack surfaces to develop exploits for, and internet-facing networking appliances score highly on both counts. Because Fortinet products sit at the network edge of many organisations and individuals, threat actors will continue to exploit vulnerabilities in them to gain an initial foothold, exfiltrate sensitive data or disrupt business operations.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

Mitre Methodologies

Tactics:

TA0001 – Initial Access
TA0002 – Execution
TA0003 – Persistence

Techniques:

T1190 – Exploit Public-Facing Application (unauthenticated exploitation of the FortiNAC web server)
T1210 – Exploitation of Remote Services (where the appliance is reached from inside the network)
T1053.003 – Scheduled Task/Job: Cron (the /etc/cron.d/ entry written by the PoC)


Intelligence Terminology Yardstick